SmoothCriminal: Sandbox Detection Via Cursor Speeds!

Posted by @pentestit. Updated: July 22, 2017 at 5:05 am

It’s that exciting time of the year, folks, when people from all walks of security life throng to the casinos in the desert. Yes, I am talking about Black Hat, BSidesLV and DefCon. Bringing to you a small utility that will be fully released at BSidesLV: SmoothCriminal, which demonstrates an anti-VM and anti-sandbox technique used by some malware today.

What is SmoothCriminal?

SmoothCriminal is an open source Python script that helps you determine whether you are running inside a sandbox by measuring cursor movement speed. Monitoring mouse movement is one of the simpler methods malware uses to detect sandboxes, but this script does it differently. Most tools only check whether the mouse moved at all. SmoothCriminal, as the name suggests, checks whether the movement was smooth: it computes the cursor's speed (distance travelled between two samples divided by the time between them), which I must say is pretty accurate. For example, these were my findings:

If you see the “Castles made of sand” message, you know that the script is being run in a “sandboxed” environment. This is what the -mean and -max arguments do:

Mean: The script accumulates the cursor speed values (only for samples where a movement actually occurred) and returns the average of all speeds. In a sandbox the cursor only jumps between positions, so the average speed is much higher than a human's. It is executed with the -mean flag.

Max: It runs the same way, but returns the maximum speed instead of the average. This can trigger a false positive if a flesh-and-blood user moves the cursor extremely fast. It is executed with the -max flag.
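To make the two checks concrete, here is an added example of the mean and max speed tests written for this post; it is not SmoothCriminal's own code. It computes pixels-per-second between consecutive cursor samples, skips samples with no movement, and compares the mean or the max against a threshold. The three traces, the 2000 px/s threshold and the `sample_cursor` helper (which uses `win32api.GetCursorPos()` from pywin32 when available) are assumptions made for the example, not values from the script.

```python
import math
import time
from statistics import mean

# Constructed cursor traces of (seconds, x, y); not captured from a real system.
# A human drags the cursor in small steps, pausing once.
HUMAN_TRACE = [(0.00, 100, 100), (0.05, 103, 101), (0.10, 107, 103),
               (0.15, 112, 104), (0.20, 118, 106), (0.25, 118, 106),
               (0.30, 125, 109)]
# A sandbox "teleports" the cursor between scripted click targets.
SANDBOX_TRACE = [(0.00, 100, 100), (0.05, 100, 100), (0.10, 640, 360),
                 (0.15, 640, 360), (0.20, 12, 740)]
# A human trace that ends with one fast flick: trips -max, not -mean.
HUMAN_FLICK_TRACE = HUMAN_TRACE + [(0.35, 375, 275)]

# Assumed threshold in pixels/second; tune it for the screen you deploy on.
THRESHOLD = 2000.0


def speeds(trace):
    """Speed (px/s) between consecutive samples, skipping samples with no movement."""
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(trace, trace[1:]):
        dist = math.hypot(x1 - x0, y1 - y0)
        if dist == 0 or t1 <= t0:      # idle cursor or bad timestamp: no speed value
            continue
        out.append(dist / (t1 - t0))
    return out


def mean_speed(trace):
    s = speeds(trace)
    return mean(s) if s else 0.0


def max_speed(trace):
    s = speeds(trace)
    return max(s) if s else 0.0


def is_sandbox(trace, mode="mean", threshold=THRESHOLD):
    """True when the chosen statistic exceeds the threshold (cursor only jumps)."""
    if mode == "mean":
        return mean_speed(trace) > threshold
    if mode == "max":
        return max_speed(trace) > threshold
    raise ValueError("mode must be 'mean' or 'max'")


def sample_cursor(seconds=5.0, interval=0.05):
    """Collect a live trace on Windows via pywin32 (assumed available when called)."""
    import win32api  # only needed for a live run
    trace, start = [], time.monotonic()
    while time.monotonic() - start < seconds:
        x, y = win32api.GetCursorPos()
        trace.append((time.monotonic() - start, x, y))
        time.sleep(interval)
    return trace


if __name__ == "__main__":
    try:
        trace = sample_cursor()
    except ImportError:
        trace = SANDBOX_TRACE        # offline demo with the constructed trace
    for mode in ("mean", "max"):
        verdict = "Castles made of sand" if is_sandbox(trace, mode) else "Looks human"
        print(f"{mode}: {verdict}")
```

The stationary pair in each trace is dropped before averaging, which is why a sandbox that parks the cursor between jumps still produces a high mean. `HUMAN_FLICK_TRACE` shows the false positive the -max mode is prone to: a single 300 px flick in 50 ms exceeds the threshold, while the mean over the whole trace stays below it.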

Admittedly, I was able to fool the script once using the -max flag, but not with the -mean flag. All in all, a very interesting implementation of this trivial technique.

Download SmoothCriminal:

The current version of this script can be downloaded from its GitHub repository here. All it needs is win32api (pywin32), which limits it to Windows.
